A Quick Look at the 2020 Threat Landscape

There’s no doubt 2020 has already been a turbulent year: COVID-19, civil unrest, contentious elections, widespread economic instability, and major natural disasters like wildfires and hurricanes across the US are just a few of the major events making headlines. While digital threats often echo real-world events, perhaps none has had a greater impact on the threat landscape this year than COVID-19.

As municipalities adopted social distancing measures and many workers shifted to remote work, threat actors pivoted to exploiting remote work-related vulnerabilities. Virtual meeting lures gained popularity in March and April, when many government-mandated lockdowns were at their most restrictive. Actors often impersonated entities like the World Health Organization (WHO) or the Centers for Disease Control (CDC) to distribute malicious files or links under the guise of being COVID facts sheets or related information. While COVID didn't cause an increase in threat volume, it led many actors to rebrand their often more generic lures (e.g., “view your invoice”, “there’s an issue with your account!”, etc.) to prey on recipients' fears about COVID-19.

However, despite shifts in tactics to exploit COVID-19, much of the threat landscape remains similar to what we have observed in the past. Email remains the top threat vector, with many options for weaponization: URLs, attachments, social engineering, or any combination of those can be easily used for malicious purposes and distributed via email.

Figure 1: Malicious URL and malicious attachment volume for August 2020

URLs continue to be the most popular delivery mechanism for malware and credential phishing attacks (Figure 1). Cloud providers and document hosting sites make standing up a fraudulent site or uploading malicious files for distribution a trivial task, with the bonus that most organizations are unable to block the major providers outright. Using these services also provides a veil of legitimacy to suspect URLs, as many benign files are regularly shared via services like Sharepoint and Google Drive.

Figure 2: Malicious files by extension for August 2020

Despite the popularity of malicious links, weaponized attachments aren’t a thing of the past. PDFs remain the most popular attachment choice, with Microsoft Office files coming in second (Figure 2). PDFs often contain links to malicious sites or downloads, while Office documents rely on macros or embedded objects. More recently, Proofpoint researchers have observed use of XL4 macros and template injection. Exploitation of known Office vulnerabilities, like CVE-2017-11882 and CVE-2017-0199, remains common.

Figure 3: Message volume by malware family, January 2020 - August 2020

Emotet, AgentTesla, Dridex, Get2, and TrickBot were dominant malware variants observed in early 2020. AgentTesla and Dridex remained popular throughout the spring, while Emotet took a notably long vacation and disappeared from the threat landscape in February (Figure 3). When Emotet returned on July 17, 2020, they were immediately back to their previous volume and tactics, with minimal changes. Ransomware as an initial payload also reemerged over the summer, with Avaddon and other strains of malware delivered via lures leveraging COVID-19.

Figure 4: Message volume by exploit type, January 2020 - August 2020

Even considering the variety of technical vulnerabilities and exploits available to threat actors, social engineering continues to be the most widely used technique–often paired with another exploit–because it remains effective (Figure 4). Particularly in the time of COVID-19, when stress levels are increased and distractions abound, threat actors know that their targets may be even more susceptible to social engineering than under more normal circumstances.

Though the threat landscape remains relatively unchanged overall, 2020 has brought tremendous challenge and change for many. Threat actors are aware of our collective strained attention and additional stress. They also know many are working from home with suboptimal network configurations that offer less security than an enterprise, in-office network might. Combined, these factors make an ideal environment for actors to maintain their same tactics and techniques with minimal change, while still seeing successful malware installs and credential phishing expeditions.